FreeBSD 15.0-RELEASE Release Notes

The Kerberos v5 Authentication Service, krb5kdc(8), has gained a new kdc_restart variable under daemon(8). Set kdc_restart="YES" in rc.conf(5) to auto restart kdc on abnormal termination. Set kdc_restart_delay="N" to the number of seconds to delay before restarting the kdc. abc4b3088941

The daily periodic(8) scripts now show less context in emails by default to reduce output size. The behavior can be controlled by the daily_diff_flags variable in periodic.conf(5). Similarly, the changes shown by the security scripts show less context than previously, controlled by the security_status_diff_flags variable in periodic.conf(5). 538994626b9f, 37dc394170a5, 128e78ffb084

The bsnmpd(1) daemon no longer supports legacy UDP transport. Users, that have not updated their /etc/snmpd.config since 12.0-RELEASE or older will need to merge in the new configuration. In particular, the transport definition shall be changed from begemotSnmpdPortStatus OID to begemotSnmpdTransInetStatus. 9ba51cce8bbd

The FreeBSD-base repository is now defined in /etc/pkg/FreeBSD.conf, disabled by default. Systems which installed with pkgbase prior to 15.0-RC1 (if running releng/15.0) or November 15th (if running from stable/main snapshots) will need to remove the definition of the FreeBSD-base repository from /usr/local/etc/pkg/repos/ and replace it with a single line FreeBSD-base: { enabled: yes }. 5d832135a971

The powerd(8) utility is now enabled in /etc/rc.conf by default on images for the arm64 Raspberry Pi’s (arm64-aarch64-RPI files). This prevents the CPU clock from running slow all the time. 4347ef60501f

The adduser(8) utility, used by bsdinstall(8), will now create a ZFS dataset for a new user’s home directory if the parent directory resides on a ZFS dataset. A command-line option is available to disable use of a separate dataset. ZFS encryption is also available. 516009ce8d38

The date(1) program now supports nanoseconds. For example: date -Ins prints "2024-04-22T12:20:28,763742224+02:00" and date +%N prints "415050400". eeb04a736cb9 (Sponsored by Klara, Inc.)

The dtrace(1) utility can now generate machine-readable output in JSON, XML, and HTML using libxo(3). aef4504139a4 (Sponsored by Innovate UK)

The lastcomm(1) utility now displays timestamps with a precision of seconds. 692c0a2e80c1 (Sponsored by DSS Gmbh)

The ldconfig(8) utility now supports hints files of either byte order. The default format is the native byte-order of the host. fa7b31166ddb

The usbconfig(8) utility now reads the descriptions of usb vendor and products from /usr/share/misc/usb_vendors when available, similar to what pciconf(8) does. 7b9a772f9f64

The env(1) utility has gained an option to change the directory, which closely resembles the feature in the GNU version of env, although it does not support long options. 08e8554c4a39 (Sponsored by Klara, Inc.)

The ps(1) utility now automatically removes canned displays' columns that contain same data as some explicitly-requested columns. Before this change, if some user requested to add some "canned display" (options -j, -l, -u or -v), columns in it that were duplicates of explicitly-requested ones earlier on the command line were omitted, but this did not work the other way around, when a canned display appears before explicitly-requested columns. Additionally, columns with different keywords but which are aliases to the same keyword are now also considered holding the same data, in addition to columns having the same keyword. cd768a840644 (Sponsored by The FreeBSD Foundation)

The ps(1) utility’s -O option is now more versatile and predictable. The ps(1) display’s list of columns is now first built without taking into account the -O options. In a second step, all columns passed via -O are finally inserted after the built-so-far display’s first PID column (if it exists, else at start), in their order of appearance as arguments to the -O options. 5dad61d9b949 (Sponsored by The FreeBSD Foundation)

The ps(1) utility’s -a and -A options now always show all processes. When combined with other options affecting the selection of processes, except for -X and -x, option -a would have no effect (and -A would reduce to just -x). This was in contradiction with the rule applying to all other selection options stating that one process is listed as soon as any of these options has been specified and selects it, which is both mandated by POSIX and arguably a natural expectation. As a practical consequence, specifying -a or -A now causes all processes to be listed regardless of other selection options such as -U, -p, -G, etc., except for the -X and -x filter options, which continue to apply. In particular, to list only processes from specific jails, one must not use -a with -J. Option -J, contrary to its apparent initial intent, never worked as a filter in practice, except by accident with only -a due to the bug. 93a94ce731a8 (Sponsored by The FreeBSD Foundation)

The ps(1) utility now matches current user’s processes using the effective user ID. Previously, we would match using the real user ID. This puts ps(1) in conformance with POSIX on that topic. 1aabbb25c9f9 (Sponsored by The FreeBSD Foundation)

The ps(1) utility’s -U flag now selects processes by real user IDs. This is what POSIX mandates for option -U and arguably the behavior that most users actually need in most cases. Before, -U would select processes by their effective user IDs (which is the behavior mandated by POSIX for option -u). 995b690d1398 (Sponsored by The FreeBSD Foundation)

The sysctl(8) utility has gained flags to filter jail prison and vnet variables, so users do not have to contact the source code to tell whether a variable is a jail prison / vnet one or not. 615c9ce250ee

The grep(1) utility no longer follows symbolic links by default for recursive searches. This matches the documented behavior in the manual page. fc12c191c087

The mdo(1) utility now supports fully specifying all users and groups in the target credentials. As a convenience, in addition to a full explicit specification, it allows starting from a baseline providing default values for all attributes, which is either the login credentials from some user in the password database or the current credentials, and then amending these attributes selectively. The manual page has been updated to describe the new options and their interactions. 4ffcb1a4a99c (Sponsored by The FreeBSD Foundation) (Sponsored by Google LLC (GSoC 2025))

When booting in single-user mode, init(8) now changes the working directory to /root, using / only as a fallback. The /.profile link to /root/.profile is no more installed. b4b91207ab6f, ca771d7ae527

The deprecated ftpd(8) has been removed from the base system. Users who still need it can install the ftp/freebsd-ftpd port. 259bb93b80c0

The Kerberos v5 database administration program learned how to dump the Heimdal KDC database in a format which can be loaded into the MIT KDC. See https://wiki.freebsd.org/Kerberos/Heimdal2MIT_KDC_Migration for how to use kadmin -l dump -f to transfer/convert the KDC database. 9fd3b28d4e0d, 23fbea8cf2f3

The bsdconfig(8) and bsdinstall(8) utilities now use bsddialog(1) instead of GNU dialog. c36b3dbc99d1, 04b465777a09

The jail(8) command now supports the zfs.dataset parameter to attach a list of ZFS datasets to a jail. e0dfe185cbca

The jail(8) command now supports meta and env parameters, which are arbitrary strings associated with a jail. These parameters can be used to tag jails with specific metadata, or to pass information securely to be accessed inside a jail. They can be added at jail creation, or modified later using jail(8). 30e6e008bc06 (Sponsored by SkunkWerks, GmbH)

The rc.d/jail startup script now supports the legacy variable jail_${jailname}_zfs_dataset to allow unmaintained jail managers like ezjail to leverage the new zfs.dataset feature (see above). 0b49e504a32d

The newsyslog(8) utility now supports specifying a global compression method directly at the beginning of the newsyslog.conf file. All historical compression flags (J, X, Y, Z) then behave as indicating "treat the file as compressible" instead of "compress the file with that specific method.". The following methods are available:

61174ad88e33, 906748d208d3, 39d668f1e09e

One True Awk (awk(1)) has been updated to 2nd Edition, with new -csv support and UTF-8 support. The snapshot used is 20250804. b45a181a74c8 (Sponsored by Netflix)

The system reference manual toolchain, mandoc(1), has been updated to version 1.14.6 snapshot 2025-09-26. This version includes improved compatibility with groff and DocBook, improved html and markdown output, and the deprecation of the LIBRARY section. c1c95add8c80, 80c12959679a, 4c07abdbacf4, 06410c1b5163, 59fc2b0166f7

The jemalloc(3) library has been updated to version 5.3.0. c43cad871720

The bmake(1) build system has been upgraded to 20250804, providing many debugging improvements, bug fixes such as detecting and rejecting gmake syntax, and feature improvements such as a floating point argument to -j being used as a multiple of the number of cpus available.

The sendmail(8) suite has been upgraded to version 8.18.1, addressing CVE-2023-51765. 58ae50f31e95

The bc(1) calculator has been upgraded to 7.1.0. fdc4a7c8012b

The blacklist suite has been renamed upstream to blocklist. Existing setups will continue to work emitting a warning. The snapshot used is 20251026. 4afb96fdd272

The bsddialog(1) utility has been upgraded to 1.0.5. 0595e10ec773

The byacc(1) parser generator has been upgraded to 20240109. 822ca3276345

The libarchive library has been upgraded to 3.8.2. 8a0b57ba54f0

The libcbor library has been upgraded to 0.11.0. 1755b9daa693 (Sponsored by The FreeBSD Foundation)

The libcxxrt library has been upgraded to vendor snapshot 6f2fdfebcd62. d0dcee46d971

The libfido2 library has been upgraded to 1.14.0. 128bace5102e (Sponsored by The FreeBSD Foundation)

The libpcap library has been upgraded to 1.10.5. 26f21a6494b4 (Sponsored by The FreeBSD Foundation)

The ncurses(3) library has been upgraded to 6.5. 21817992b331

The tcpdump(1) utility has been upgraded to 4.99.5. ec3da16d8bc1 (Sponsored by The FreeBSD Foundation)

The unbound DNS validating resolver has been upgraded to 1.24.1. a988846174e0

The llvm compiler infrastructure has been upgraded to 19.1.7-0-gcd708029e0b2. dc3f24ea8a25

The OpenZFS filesystem has been updated to zfs-2.4.0-rc4. 7b5b0f43eb06

The xz(1) data compressors have been updated to 5.8.1. 128836d304d9

The less(1) pager has been updated to v679. 76bafc906926

The file(1) identifier has been updated to 5.46. ae316d1d1cff

The zlib(3) data compression library has been updated to 1.3.1. 6255c67c3d1a

The Time Zone Database, tzdata, has been updated to 2025b. 475082194ac8

OpenSSH has been updated to 10.0p2. .8e28d84935f2 (Sponsored by The FreeBSD Foundation)

OpenSSL has been updated to 3.5.4. c0366f908ff4

Lua has been updated to 5.4.8. 3068d706eabe (Sponsored by Netflix)

The Google Test C testing framework has been updated to 1.15.2. One notable change is that GoogleTest 1.15.x now officially requires C-14 (1.14.x required C++-11). 1d67cec52542

The spleen vt(4) console font has been updated to version 2.1.0. 26336203d32c

MIT KRB5 1.22.1 Kerberos replaces Heimdal 1.5.2 by default. Heimdal 1.5.2 can still be built using the WITHOUT_MITKRB5 flag. Heimdal Kerberos will be entirely removed in FreeBSD 16. See also the note about the -f flag to kadmin -l dump under section Userland Application Changes. ee3960cba106, 0b9a631e0724, 60f970b85e44, 0d1496f0f1e7, cbb6e747af98, 0559f30a882d, ae07a5805b19, f58febc4cefa, 805498e49ae4, 4cb1baa7d85c, 188138106b9f, 4680e7fcc70a, e447c252d0ec, 5f8493bbf479, 110111a6cca1, 2a454b05f2c1, 98d46e05ab08, 6b28571cb6ba, ca9ccf0ce9ad, b98d0566b2bd, fb1ccc04adfe, dd0ec030f8fd, 6c4771c73470, 7b68893ffa9b, 624b7beed5ac, 04764f21855a, 73ed0c7992fd, 40a5abfc3f66, 543b875a8ee4, c791ea80b5f7, 383e7290c0b5, 9a726ef24134, a245dc5d68c7, e26259f48afe, 7d2cfb27d62f, 619feb9dd00e, 10eecc467f32, 0c13e9c3c464, 89c82750da1a, 18a870751b03, ce9c325a2e92, cb3eac927b5d, 5105e1ebecc7, b9b0e105c357, 929f5966a9fd (Sponsored by The FreeBSD Foundation)

The rtw88(4) driver has been updated to Linux v6.17. A possible issue that devices cannot authenticate is still being investigated. c1d365f39e08 (Sponsored by The FreeBSD Foundation)

The rtw89(4) driver has been updated to Linux v6.17. The driver is under-tested and may still have issues. b35044b38f74 (Sponsored by The FreeBSD Foundation)

The iwlwifi(4) driver has been updated to Linux v6.17. The BE200 based chipsets will need newer firmware requiring further driver fixes which are not in this release. 69caa1cf3ce5 (Sponsored by The FreeBSD Foundation)

The setusercontext(3) routine in libutil will now set the process priority (nice) from the .login.conf file from the home directory under appropriate conditions, as well as the system login.conf(5). The priority can now have the value inherit, indicating that the priority should be unchanged from that of the parent process. Similarly, the umask can have the value inherit. c328e6c6ccaa, d162d7e2ad32, f2a0277d3e51 (Sponsored by Kumacom SAS)

Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see simd(7). (Sponsored by The FreeBSD Foundation)

There is now a much better implementation of the 128-bit tgammal function in the math library, math(3), on platforms that support it. 8df6c930c151

fma(3) now returns correctly-signed zero when provided certain small inputs (as observed in the Python test suite). dc39004bc670 (Sponsored by The FreeBSD Foundation)

The cap_rights_is_empty function has been added. It reports whether a cap_rights_t has no rights set. e77813f7e4a3 (Sponsored by The FreeBSD Foundation)

libcxxrt has been updated to upstream 6f2fdfebcd62. d9901a23bd2f

The accuracy of asinf(3) and acosf(3) has improved. 33c82f11c267

The setgroups(2) and getgroups(2) system calls and the initgroups(3) library function have been changed to avoid setting or reporting the effective group ID, now only concerning themselves with the supplementary groups. The main purpose of this change is to avoid security issues going forward by becoming compatible with Linux/glibc, OpenBSD, NetBSD and illumos-based systems. Consequently, almost all portable applications should already be compliant with this new behavior and will continue to work correctly or even get fixed in the process (see, e.g., 239e8c98636a for an example affecting OpenSSH). However, out of caution, porters, system administrators and users are advised to audit their applications using setgroups(2), getgroups(2) and initgroups(3), watching out for the following points. Applications must be using setgid(2) or setegid(2) in addition to setgroups(2) or initgroups(3) to set the effective group ID. They must not treat the first element of the array returned by getgroups(2) specially, but instead as any other supplementary group. For more information, please consult the SECURITY CONSIDERATIONS sections that have been added to the setgroups(2), getgroups(2) and initgroups(3) manual pages. Compatibility system calls and library functions have been provided so that binaries and libraries compiled on FreeBSD 14 systems or earlier will continue to work exactly as before. 9da2fe96ff2e, 8878569103a3, 7132fb5edbc9, 2932e6f59bff, 8878569103a3 (Sponsored by The FreeBSD Foundation)

libc contains compatibility functions enabling running executables/libraries compiled for older versions of FreeBSD. Those that are themselves using compatibility system calls would not reference them correctly, causing misbehavior at runtime. This has been fixed. 47f5f89dbd27 (Sponsored by The FreeBSD Foundation)

The readdir_r(3) function is deprecated and may be removed in future releases. Using it in a program will result in compile-time and link-time warnings. 2bd157bc732a (Sponsored by Klara, Inc.)

The runtime linker rtld(1) has grown support for the static linker flag specified by -z initfirst. 78aaab9f1cf3 (Sponsored by The FreeBSD Foundation)

The Gallant font for vt(4) has been updated with more than 4300 new glyphs, including support for Greek, Cyrillic, International Phonetic Association Extensions, Extended Latin characters, Zapf Dingbats, Tons of arrows, Tons of mathematical symbols, Letterlike symbols and enclosed alphanumerics, Pixel-perfect box drawing, Currency symbols, More punctuation, Just enough Katakana to say コンニチハ, Powerline glyphs in the Private Use Area at U+e0a0. 9e8c1ab0976c

Unicode support has been updated to 16.0.0 and CLDR to 45.0.0. ddfc6f84f242

fdisk(8) has been deprecated in favor of gpart(8) for a long time but has not been removed, running this application will show a warning to migrate to gpart(8). 3958be5c29da (Sponsored by The FreeBSD Foundation)

Deprecation notice for syscons(4) has been added. syscons(4) is not compatible with UEFI, does not support UTF-8, and is Giant-locked. There is no specific timeline yet for removing it, but support for the Giant lock is expected to go away in one or two major release cycles. 8c922db4f3d9 (Sponsored by The FreeBSD Foundation)

The shar utility has been removed. It lives on as a port at sysutils/freebsd-shar. 3fde39073c72

The cryptographically weak DSA signature algorithm was removed from OpenSSH, following upstream.

The publickey(5) database has been removed, This uses DES and we hope that nobody uses that in 2025. 9197c04a251b

ktrace(2) will now record detailed information about capability mode violations. The kdump(1) utility has been updated to display such information. 9bec84131215, 96c8b3e50988, 05296a0ff616, 6a4616a529c1, 0cd9cde767c3, aa32d7cbc92c

FreeBSD now natively implements the Linux inotify(2) interface. The system calls themselves are not API-compatible, but libc provides an API-compatible interface, so software which relies on inotify can be run unmodified. f1f230439fa4, (Sponsored by Klara, Inc.)

The fpu_kern_enter and fpu_kern_leave routines have been implemented for powerpc, allowing the use of ossl(4) crypto functions in the kernel that use floating point and vector registers. 91e53779b4fc

Support legacy PCI hotplug on arm64. 355f02cddbf0. (Sponsored by Arm Ltd)

Jails can now be accessed via jail descriptors in jail_set(2) and jail_get(2), as well as the new jail_attach_jd(2) and jail_remove_jd(2) syscalls. They allow manipulation of jails through the file descriptor interface without the race conditions inherent in jail IDs, and can also optionally control jail lifetime. 851dc7f859c2

Jails and jail descriptors now have associated kevent(2) filters that allow tracking jail creation, changes, attachment, and removal. 1bd74d201a53 9d7f89ef2607

A new common 'mac' node for MAC modules' jail parameters has been created. All future MAC modules' jail parameters will appear under this node. See mac(4) for an introduction to MAC. First consumer is mac_do(4). 5041b20503db, f3a06ced2568 (Sponsored by The FreeBSD Foundation)

mac_do(4) is now considered production-ready, after a number of important fixes. bbf8af664dc9, 292c814931d9, 53d2e0d48549, add521c1a5d2, 2a20ce91dc29, fa4352b74580, 3d8d91a5b32c, 8f7e8726e3f5, 89958992b618 (Sponsored by The FreeBSD Foundation)

mac_do(4) now supports changing rules within jails with the security.mac.do.rules sysctl(8) knob. b3f93680e39b (Sponsored by The FreeBSD Foundation)

Introduce the setcred(2) system call and associated MAC hooks. This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved user IDs, effective, real and saved group IDs, supplementary groups and the MAC label. Besides providing atomicity, its advantage over standard credentials-setting system calls, such as setuid(), seteuid(), etc., is that it enables MAC modules, such as mac_do(4), to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one. ddb3eb4efe55 (Sponsored by The FreeBSD Foundation)

Support multiple users and groups as single rule’s targets in mac_do(4). Supporting group targets is a requirement for mac_do(4) to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions. The allowed groups are tied to one or multiple user IDs. Multiple users and groups in a rule’s target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group. The rules syntax has been changed incompatibly, but migrating existing rules is just a matter of adding uid= in front of the target part, substituting commas (,) with semi-colons (;) and colons (:) with greater-than signs (>). Please consult the mac_do(4) manual page for more information. 83ffc412b2e9, 8f7e8726e3f5, f01d26dec67f (Sponsored by The FreeBSD Foundation)

Teach sysctl(8) to attach and run itself in a jail. This allows the parent jail to retrieve or set kernel state when child does not have sysctl(8) installed (for example light weighted OCI containers or slim jails). This is especially useful when manipulating jail prison or vnet sysctls. For example, sysctl -j foo -Ja or sysctl -j foo net.fibs=2. 8d5d7e2ba3a6.

Enable vnet sysctl(9) variables to be loader tunable. In 3da1cf1e88f8, the meaning of the flag CTLFLAG_TUN is extended to automatically check if there is a kernel environment variable which shall initialize the SYSCTL during early boot. It works for all SYSCTL types both statically and dynamically created ones, except for the SYSCTLs which belong to VNETs. Note that the implementation has a limitation. It behaves the same way as that of non-vnet loader tunables. That is, after the kernel or modules being initialized, any changes (for example via kenv) to kernel environment variable will not affect the corresponding vnet variable of subsequently created VNETs. To overcome it, TUNABLE_XXX_FETCH can be used to fetch the kernel environment variable into those vnet variables during vnet constructing. 894efae09de4

sound(4): Allocate vchans on-demand. Refactor pcm_chnalloc() and merge with parts of vchan_setnew() (now removed) and dsp_open()’s channel creation into a new dsp_chn_alloc() function. The function is responsible for either using a free HW channel (if vchans are disabled), or allocating a new vchan. hw.snd.vchans_enable (previously hw.snd.maxautovchans) and dev.pcm.X.{play|rec}.vchans now work as tunables to only enable/disable vchans, as opposed to setting their number and/or (de-)allocating vchans. Since these sysctls do not trigger any (de-)allocations anymore, their effect is instantaneous, whereas before it could have frozen the machine (when trying to allocate new vchans) when setting dev.pcm.X.{play|rec}.vchans to a very large value. 960ee8094913. (Sponsored by The FreeBSD Foundation)

The hw.snd.version sysctl(8) knob was removed. 7398d1ece5cf (Sponsored by The FreeBSD Foundation)

The unit.* code in sound(4) was retired, and as part of that the hw.snd.maxunit loader(8) tunable was removed. 25723d66369f (Sponsored by The FreeBSD Foundation)

Gradual slowdowns and freezes experienced by owners of some AMD GPUs using the amdgpu DRM driver from the drm-kmod ports, starting with v5.15 (graphics/drm-515-kmod port), have been fixed. In particular, owners of graphics cards with Green Sardine, Polaris 10 and 20 and Vega chips were known to be affected. Recent Intel-based GPUs (gen 13+) may also have been affected. 718d1928f874, 4ca9190251bb, 986edb19a49c, 9d1f3ce79d85, da257e519bc0 (Sponsored by The FreeBSD Foundation)

The code iterating over memory domains (NUMA) was improved and fixed in a number of ways, resulting in particular in decreased latency for some graphical operations with DRM drivers. da257e519bc0, 83ad6d8d8eee, b15ff7214020 (Sponsored by The FreeBSD Foundation)

The effective group ID is now stored in the new cr_gid field of struct cred and has been removed as the first element of cr_groups[], which now only contains the supplementary groups. All downstream and out-of-tree modules using cr_groups[0] must be fixed to use cr_gid instead, and surrounding code that loops on cr_groups[] elements excluding cr_groups[0], i.e., that intends to act on supplementary groups only, also needs to be adjusted as now supplementary groups start at &cr_groups[0] instead of &cr_groups[1]. Code that needs to be portable to both 15.0 and earlier versions can use cr_gid, which existed also previously as a macro, and can test the truth value of &cr_groups[0] != &cr_gid to know how to browse the supplementary groups adequately. be1f7435ef21 (Sponsored by the FreeBSD Foundation)

On amd64, FreeBSD now supports more than 4TB of RAM on modern machines that have the LA57 CPU feature. d390633cf8cf (Sponsored by the FreeBSD Foundation)

On amd64, handling of the %fsbase/%gsbase registers and tls base were reworked, making it more useful for apps that directly manipulate CPU context. 68ba38dad3 (Sponsored by the FreeBSD Foundation)

The tty(4) terminal interface now has the IUTF8 flag, which enables proper UTF-8 backspacing handling, set by default, suiting the default UTF-8 locale. bb830e346bd5

A driver is available for ice(4) Ethernet network controllers in the Intel E800 series, which support 100 Gb/s operation. It was upgraded to version 1.43.2-k. 38a1655adcb3 (Sponsored by Intel Corporation)

Numerous stability improvements have gone into the iwlwifi(4) driver for Intel Wi-Fi devices. (Sponsored by The FreeBSD Foundation)

Multiple PCI MCFG regions are now supported on amd64, allowing PCI configuration space access for domains (segments) other than 0. 4b5f64408804

The smsc(4) Ethernet driver can now fetch the value of smsc95xx.macaddr passed by some Raspberry Pi models and use it for the MAC address. It always uses a stable MAC address even if there is no address in EEPROM. 028e4c6548e4

The snd_clone framework has been removed from the sound subsystem, including related sysctls, simplifying the system. The per-channel nodes (/dev/dspX.Y) are no longer created, just the primary device (/dev/dspX). e6c51f6db8d7 (Sponsored by The FreeBSD Foundation)

Audio now supports asynchronous device detach. This greatly simplifies hot plugging and unplugging of things such as USB headsets, and eases use of PulseAudio in cases that require operating system sleep and wake (suspend and resume). d692c314d29a (Sponsored by The FreeBSD Foundation)

ice_ddp has been upgraded to 1.3.41.0. a9d78bb714e3 (Sponsored by Intel Corporation)

Tiger Lake-H support has been added to the hda(4) driver. dbb6f488df6e

Meteor Lake support has been added to the ichsmb(4) driver. 14c22e28e4ee (Sponsored by Framework Computer Inc) (Sponsored by The FreeBSD Foundation)

Meteor Lake support has been added to the ig4(4) driver. 56f0fc0011c2

Support for Realtek 8156/8156B has been moved from cdce(4) to ure(4) for improved performance and reliability. 630077a84186 (Sponsored by The FreeBSD Foundation)

Support for ACPI GPIO _AEI objects has been added. 1db6ffb2a482 (Sponsored by Amazon)

nvme(4) and nvmecontrol(8) have been enabled on all architectures. 24687a65dd7f, aba2d7f89dcf (Sponsored by Chelsio Communications and Netflix)

mpi3mr(4) driver version has been updated to 8.14.0.2.0. e6d4b221ba7c

mpi3mr(4) MPI Header has been updated to Version 36. This aligns with the latest MPI specification. This includes updated structures, field definitions, and constants required for compatibility with updated firmware. 60cf1576501d

The mpi3mr(4) driver is now in GENERIC. e2b8fb2202c2

iwmbtfw(4): Add support for 9260/9560 bluetooth adapters. Required firmware files are already included in to comms/iwmbt-firmware port. 8e62ae9693bd

ena(4) driver version has been updated to v2.8.1. a1685d25601e (Sponsored by Amazon, Inc.)

bnxt(4): Enable NPAR support on BCM57504 10/25GbE NICs. 54f842ed8897

bnxt(4): Add 5760X (Thor2) PCI IDs support. Add Thor2 PCI IDs. 45e161020c2d

bnxt(4): Add support for 400G speed modules. 32fdad17f060

ix(4): Add support for 1000BASE-BX SFP modules. Add support for 1Gbit BiDi modules. Add support for Intel Ethernet Network Adapter E610. 89d4096950c4 dea5f973d0c8

igc(4): Fix attach for I226-K and LMVP devices. The device IDs for these were in the driver’s list of PCI ids to attach to, but igc_set_mac_type() had never been setup to set the correct mac type for these devices. Fix this by adding these IDs to the switch block in order for them to be recognized by the driver instead of returning an error. This fixes the igc(4) attach for the I226-K LOM on the ASRock Z790 PG-ITX/TB4 motherboard, allowing it to be recognized and used. f034ddd2fa38.

Remove old itr sysctl handler from em(4). This implementation had various bugs. The unit conversion/scaling was wrong, and it also did not handle 82574L or igb(4) devices correctly. With the new AIM code, it is expected most users will not need to manually tune this. edf50670e215 (Sponsored by BBOX.io)

Added support for Brainboxes USB-to-Serial adapters in uftdi(4). 47db906375b5

The iwx(4) driver has been added, supporting the Intel Wi-Fi 6 series of M.2 wireless network adapters. 2ad0f7e91582 (Sponsored by The FreeBSD Foundation)

A new cellular modem driver supports USB network devices implementing the Mobile Broadband Interface Model (MBIM): umb(4). The accompanying umbctl(8) tool is used to display or set MBIM cellular modem interface parameters (4G/LTE). 0f1bf1c22a0c (Sponsored by The FreeBSD Foundation)

smbios(4) now searches for the SMBIOS v3 (64-bit) entry point first also if booted from BIOS. This allows to detect and report the proper SMBIOS version with BIOSes that only provide the v3 table, as happens on Hetzner virtual machines. For machines that provide both, leverage the v3 table in priority consistently with the case of EFI boot. bc7f6508363c (Sponsored by The FreeBSD Foundation)

The usbhid(4) driver is now enabled by default, and is used in preference to other USB HID drivers like ukbd(4), ums(4), and uhid(4). Supported device classes now include:

FIDO/U2F security tokens continue to be supported through the autoloaded u2f(4) driver. Device names and protocol handling for these devices are unchanged. 74072e9f16c1 (Sponsored by The FreeBSD Foundation)

The udbc(4) driver has been added enabling host side debugging of targets using xHC debug. d566b6a70bcb (Sponsored by The FreeBSD Foundation)

The ufshci(4) driver has been added, supporting Universal Flash Storage (UFS) host controllers. 1349a733cf28 (Sponsored by Samsung Electronics)

The mlx5(4) driver now supports inline IPSEC offload on Nvidia ConnectX-6+ network cards, leveraging the new in-kernel IPSEC offload infrastructure. e23731db48ef (Sponsored by NVIDIA networking)

Support for the watchdog timer in Intel 6300ESB I/O controller hub has been included in the ichwd(4) driver. This is intended primarily for QEMU users, where that watchdog timer serves as the default and only one for x86 virtual machines. 2b74ff5fceb6

The qat(4) driver has grown support for the 402xx device with ID 0x4944/0x4945. 138e36514fe8 (Sponsored by Intel Corporation)

The agp(4) bus driver has been deprecated and planned for removal in FreeBSD 16.0. 92af7c97e197 cadadd1a0398

The IBM PC floppy disk controller, fdc(4), and related utilities have been deprecated and planned for removal in FreeBSD 16.0. 4c736cfc69a7 (Sponsored by The FreeBSD Foundation)

The firewire(4) bus and related drivers have been deprecated and planned for removal in FreeBSD 16.0. fc889167c319 (Sponsored by The FreeBSD Foundation)

The le(4) Ethernet driver has been deprecated and planned for removal in FreeBSD 16.0. e4d6433e9c03 (Sponsored by The FreeBSD Foundation)

syscons(4) has been planned for removal in future releases, and has been noted as deprecated in the manual pages to notify users to migrate to vt(4). 2bc5b1d60512 (Sponsored by The FreeBSD Foundation)

The upgt(4) USB 802.11g driver has been deprecated and planned for removal in FreeBSD 16.0. 7f8a5c5a1585 (Sponsored by The FreeBSD Foundation)

Add Solaris style extended attributes (called named attributes in NFSv4). At this time, only ZFS, specifically filesystem datasets that have their xattr property set to dir, and NFSv4 support them. The attributes are presented in a directory as regular files. See named_attribute(7) for more information. 2ec2ba7e232d, df58e8b1506f, f61844833ee8, b1b607bd200f, ee95e4d02dbd

Add support for accessing remote NVMe over Fabrics controllers over the TCP transport. New commands added to nvmecontrol(8) are used to establish connections to remote controllers. Once connections are established they are handed off to the nvmf(4) kernel module which creates nvmeX devices and exports remote namespaces as nda(4) disks. a1eda74167b5, 1058c12197ab (Sponsored by Chelsio Communications)

Add support for exporting namespaces to remote NVMe over Fabrics hosts over the TCP transport. The nvmft(4) kernel module adds a new frontend to the CAM target layer which exports ctl(4) LUNs as NVMe namespaces to remote hosts. The ctld(8) daemon now supports NVMe controllers in addition to iSCSI targets and is responsible for accepting incoming connection requests and handing off connected queue pairs to nvmft(4). a15f7c96a276, 66b5296f1b29 (Sponsored by Chelsio Communications)

Add support for dynamically resizing NVMe namespaces. The nvd(4) and nda(4) drivers now notify geom of sizes changes in real time. 86d3ec359a56 (Sponsored by Netflix)

The default value of the nfs_reserved_port_only rc.conf(5) setting has changed. The FreeBSD NFS server now requires the source port of requests to be in the privileged port range (i.e., ≤ 1023), which generally requires the client to have elevated privileges on their local system. The previous behavior can be restored by setting nfs_reserved_port_only=NO in rc.conf(5). 6d5ce2bb6344 (Sponsored by The FreeBSD Foundation)

Define a new -a command line option mountd(8) that prevents exporting a file system with the -alldirs flag if the directory path is not a server file system mount point. 07cd69e272da

The layout of NFS file handles for the tarfs(4), tmpfs(4), cd9660(4), and ext2fs(4) file systems has changed. An NFS server that exports any of these file systems will need its clients to unmount and remount the exports. 4db1b113b151, 1ccbdf561f41, 205659c43d87, cf0ede720391, 8ae6247aa966 (Sponsored by The FreeBSD Foundation)

The mountd(8) server has been modified to use strunvis(3) to decode directory names in exports(5) file(s). This allows special characters, such as blanks, to be embedded in the directory name. vis -M may be used to encode such directory names; see vis(1). 2c83f1ada435

Allow to specify as many groups as configured to be supported by the system in -maproot or -mapall options in exports(5). Previously, the cap was NGROUPS_MAX + 1, where NGROUPS_MAX is just the minimum maximum of the number of allowed supplementary groups. Now use the proper {NGROUPS_MAX} + 1 value, with {NGROUPS_MAX} being fetched at runtime via sysconf(3). e87848a8150e (Sponsored by The FreeBSD Foundation)

New sysctl(8) variables have been added under kern.rpc.unenc and kern.rpc.tls, which allow an NFS server administrator to determine how much NFS-over-TLS is being used. A large number of failed handshakes might indicate an NFS configuration problem. b8e137d8d32d

The utilization of NFSv4.1/4.2 delegations was improved when the nocto mount option is used. This requires an up-to-date NFSv4.1/4.2 server with delegations enabled. For example, when building a FreeBSD kernel with both src and obj NFSv4 mounted, the total RPC count drops from 5461286 to 945643, with a 20% drop in elapsed time. 171f66b0c2ca, 50e733f19b37

New support for the NFSv4.2 Clone operation, which uses block cloning to "copy on write" files on an NFS server. This only works for exported ZFS file systems that have block cloning enabled, at this time. cce64f2e6851

Soft updates are now enabled by default when creating a new UFS file system with newfs(8). 6b2af2d88ffd

Reliability of UFS on volumes with more than 2G of inodes is significantly improved. The underlying issue was the invalid interpretation of the 32-bit inode number as signed, which got sign-extended into ino_t. c069ca085bd1, e36f069ecb47 (Sponsored by The FreeBSD Foundation)

Defer the January 19, 2038 date limit in UFS1 filesystems to February 7, 2106. This affects only filesystems with old UFS1 format. See the commit message for details. 1111a44301da

Add support to VOP_COPY_FILE_RANGE() for block cloning. At this time, ZFS is the only local file system that supports this and only if block cloning is enabled. NFSv4.2 also supports it. See pathconf(2) and copy_file_range(2) for more information. 37b2cb5ecb0f

Support for vinum volumes has been removed. f87bb5967670, e51036fbf3f8

FreeBSD now implements the SO_SPLICE interface, originally from OpenBSD. This features allows userspace applications to splice two connected TCP sockets together, after which data arriving on one socket is automatically forwarded through the socket to which it is spliced, instead of being delivered to the application. a1da7dc1cdad (Sponsored by Klara, Inc.) (Sponsored by Stormshield)

ARP (arp(4)) support for 802-standard networks has been restored; it had been accidentally removed with FDDI support. (This is different than the Ethernet standard encapsulation.) d776dd5fbd48

It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET). 6df9fa1c6b83 and others

The netgraph ng_ipfw(4) module no longer truncates cookies to 16 bits, allowing a full 32 bits. dadf64c5586e

AIM (Adaptive Interrupt Moderation) support has been added to the igc(4) driver. 472a0ccf847a (Sponsored by Rubicon Communications, LLC ("Netgate") and BBOX.io)

This feature has also been added to the lem(4), em(4) and igb(4) drivers. A major regression in UDP performance introduced in FreeBSD 12.0, including NFS over UDP, is believed to be fixed with this change. 49f12d5b38f6 (Sponsored by Rubicon Communications, LLC ("Netgate") and BBOX.io)

Teach ip6addrctl(8) to attach and run itself in a jail. This will make it easier to manage address selection policies of vnet jails, especially for those light weighted OCI containers or slim jails. b709f7b38cc4

The pf(4) packet filter has learned a new runtime loader.conf(5) tunable, 'net.pf.default_to_drop', as well as a compile time option, PF_DEFAULT_TO_DROP, making the default rule to drop. 7f7ef494f11d, 3965be101c43

A new pf(4) route-to pool option "prefer-ipv6-nexthop" allows for routing IPv4 packets over IPv6 gateways. 65c318630123 d2761422eb0a (Sponsored by InnoGames GmbH)

pf(4) now supports the OpenBSD style NAT syntax. It is possible to use "nat-to", "rdr-to" and "binat-to" on "pass" and "match" rules. The old "nat on …​" syntax can still be used. e0fe26691fc9 (Sponsored by InnoGames GmbH)

The pfsync(4) protocol has been updated to synchronize multiple missing attributes. This fixes synchronizing of states with route-to, af-to, rtable, dummynet, tags, and scrub options. If synchronization with an older version of FreeBSD is needed the protocol version can be configured with ifconfig pfsync0 version $VERSION where $VERSION is 1301 for 13.X relases or 1400 for 14.X. It defaults to 1500 for synchronization between hosts running FreeBSD 15.0. 99475087d63b (Sponsored by InnoGames GmbH)

Kernel TLS support is now enabled by default in GENERIC (default) kernels for aarch64, amd64, powerpc64, and powerpc64le. b2f7c53430c3 (Sponsored by Chelsio Communications)

The net.inet.{tcp,udp,raw}.bind_all_fibs tunables have been added. They default to 1 for backwards compatibility. Setting them to 0 modifies the corresponding protocol’s socket behavior such that packets not originating from an interface in the same FIB as the socket are ignored. In this case, TCP and UDP sockets belonging to different FIBs may also be bound to the same address. The default behavior is unmodified. 5dc99e9bb985, 08e638c089ab, 4009a98fe80b (Sponsored by Klara, Inc.) (Sponsored by Stormshield)

Making a connection to INADDR_ANY, i.e., using it as an alias for localhost, is now disabled by default. This functionality can be re-enabled by setting the net.inet.ip.connect_inaddr_wild sysctl to 1. cd240957d7ba (Sponsored by The FreeBSD Foundation)

New in-kernel inline IPSEC offload infrastructure. See also the note about the mlx5(4) driver supporting it. ef2a572bf6 (Sponsored by NVIDIA networking)

A new ngctl(8) flag, -j, allows it to attach and run inside a jail, making it possible to manipulate netgraph nodes in a jail even if ngctl(8) is not installed inside it. 72d01e62b082

sockstat(4) will show UDP-Lite endpoints by default. 978615d7bf7c

Kernel compatibility code supporting ipfw(8) binaries from FreeBSD 7 and 8 has been removed. 660255be1ed9 (Sponsored by The FreeBSD Foundation)

Lots of improvements to the network stack, including performance improvements and bug fixes for the sctp(4) stack.

Descriptors returned by sctp_peeloff(2) now inherit Capsicum capability rights(4) from the parent socket. ae3d7e27abc9 (Sponsored by The FreeBSD Foundation)

The default value of the sysctl variable net.inet.tcp.nolocaltimewait has changed from 1 to 0. This means that FreeBSD does not skip the TIME_WAIT state anymore for endpoints for which the remote address is local. The new sysctl variable net.inet.tcp.msl_local can be used to control the time these endpoints stay in the TIME_WAIT state. The sysctl variable net.inet.tcp.nolocaltimewait is deprecated and intended to be removed in FreeBSD 16. c3fc0db3bc50 (Sponsored by Netflix)

The local stream (AF_UNIX/SOCK_STREAM) and sequenced packet stream (AF_UNIX/SOCK_SEQPACKET) sockets have been improved for better bulk transfer and round trip times. The SOCK_SEQPACKET socket has been brought to the specification and now behaves as a true stream socket, while in previous FreeBSD releases it could exhibit features of a datagram socket. Applications that were using SOCK_SEQPACKET incorrectly and relied on old implementation bugs may need to be adjusted. d15792780760

The LinuxKPI 802.11 compatibility layer linuxkpi_wlan(4) gained support for the Galois/Counter Mode Protocol (GCMP) from wlan_gcmp(4). (Sponsored by The FreeBSD Foundation)

Following other drivers iwlwififw(4) firmware was removed from the base system in favor of the ports based solution and fwget(8) support. In case of updating from earlier releases, users must install the firmware packages upfront. (Sponsored by The FreeBSD Foundation)

The iwlwifi(4) wireless driver supports 802.11ac (VHT) for some Intel Wi-Fi 5, and all of Intel Wi-Fi 6 and Wi-Fi 7 hardware. (Sponsored by The FreeBSD Foundation) The iwx(4) wireless driver supports 802.11ac (VHT) for Intel Wi-Fi 6 hardware. (Sponsored by The FreeBSD Foundation) The rtwn(4) wireless driver supports 802.11ac (VHT) for the RTL8812A and RTL8821A chipsets. The rtw89(4) wireless driver supports 802.11g for some Realtek Wi-Fi 6 and Wi-Fi 7 hardware. a2d1e07f6451 (Sponsored by The FreeBSD Foundation)

bhyve(8) and vmm(4) now support the arm64 and riscv platforms. The sysutils/u-boot-bhyve-arm64 and sysutils/u-boot-bhyve-riscv ports provide boot loaders for use on these platforms. 47e073941f4e d3916eace506 (Sponsored by Arm Ltd) (Sponsored by Innovate UK) (Sponsored by The FreeBSD Foundation) (Sponsored by University Politehnica of Bucharest)

bhyve(4) now supports a "slirp" networking backend, which enables unprivileged user networking. Currently only inbound connections to the guest are supported, outbound connections from the guest are not. This feature requires the net/libslirp port. c5359e2af5ab (Sponsored by Innovate UK)

bhyve(4) now may configure a NUMA topology for guest memory. Furthermore, it is possible to define a domainset(9) policy for each guest NUMA domain, wherein the host memory used to back the guest physical memory of each guest NUMA domain can be specified, akin to cpuset(1)'s -n option. This is supported only for amd64 guests for now. f1d705d4f431

The VNC server in bhyve(8) will now show the correct colors when using the www/novnc client. f9e09dc5b1d5

When running bhyve(8) guests with a boot ROM, i.e., bhyveload(8) is not used, bhyve now assumes that the boot ROM will enable PCI BAR decoding. This is incompatible with some boot ROMs, particularly outdated builds of edk2-bhyve. To restore the old behavior, add pci.enable_bars='true' to your bhyve configuration. Note that the uefi-edk2-bhyve package has been renamed to edk2-bhyve. e962b37bf0ff (Sponsored by Innovate UK)

amd64 bhyve(8)'s lpc.bootrom and lpc.bootvars options are deprecated. Use the top-level bootrom and bootvars options instead. 43caa2e805c2 (Sponsored by Innovate UK)

The NVMM hypervisor is now detected. 34f40baca641

Under Hyper-V, TLB flushes are now performed using hypercalls rather than IPIs, providing up to a 40% improvement in TLB performance. 7ece5993b787 (Sponsored by Microsoft)

The AT_NO_AUTOMOUNT flag is now ignored for all Linuxulator stat() variants (as the behavior specified by the flag already matches FreeBSD’s), improving Linux application compatibility. 99d3ce80ba07 (Sponsored by The FreeBSD Foundation)

The Linux inotify(2) system calls are now implemented in the Linuxulator. (Sponsored by Klara, Inc.)

A new freebsd-base(7) manual provides details on the layout of base system packages and how to update a system with them. e1632b827b1a

Manual pages on filesystems have been moved to section four, the Kernel Interfaces Manual. 1687d77197c0

The builtin(1) manual has been rewritten featuring streamlined information and a new section on keybindings that are built into the FreeBSD CLI. 42df4faf7004

A new networking(7) manual page provides a quickstart guide to connecting the system to networks including Wi-Fi, and links to other manual pages and the handbook. 39f92a4c4c49

The build(7) manual has been revised to incorporate instructions on building the system from source. 275f61111f43

Refer to graid(8) and zfs(8) instead of gvinum(8) in ccdconfig(8). 55cb3a33d920

The ps(1) manual page has been revamped to explain the general principles, and descriptions in there have been updated to match reality. The preamble has been revamped to give a thorough overview of the different aspects of the ps(1) command. The description of several options and some keywords have been fixed to match their actual behavior and/or expanded. The STANDARDS and BUGS sections have been expanded. ddf144a04b53 (Sponsored by The FreeBSD Foundation)

The mac_do(4) manual page has been revamped as part of adding support for multiple users and groups as single rule’s targets, which lead to changing the rules syntax. In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections. bc201841d139 (Sponsored by The FreeBSD Foundation)

The existing content of the mdo(1) manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials. It has now a longer introduction and a new SECURITY CONSIDERATIONS section. 20ebb6ec5ac0 (Sponsored by The FreeBSD Foundation) (Sponsored by Google LLC (GSoC 2025))

The ethernet switch controllers, mtkswitch(4), ip17x(4), ar40xx(4), and e6000sw(4) have gained initial manual pages. 37f00bc257d, f750a114d2c, 91c975c3913, 6da793a8caa

mount(8) has gained an example for remounting all filesystems read/write in single-user mode. c3e06b23b417

Manual pages for the lua loader(8) modules have had their descriptions reworded to optimize apropos(1) results. 5d59c1b4f14e

The manual pages style guide, style.mdoc(5), has gained a section for listing supported hardware. When listed this way, the supported hardware will be listed in the supported hardware notes. Many manuals have had this section added or reworded in this release.

Much work has gone into adding sysctl(8)s and environment variables to the manual. Try searching for them with apropos Va=here.is.the.sysctl or apropos Ev=here_is_the_environment_variable.

The intro(1) to the General Commands manual has been revised, incorporating a statement about installing additional commands, and a listing of cannonical command directories. cc0af6d5a6c2

The intro(2) to the System Calls manual has been revised, incorporating links and a HISTORY section from OpenBSD. 9a62cdc01327, 69ff2d754c1c, 6dfbe695c322, de525c502a3a, d846f33bb6d4, 4696ca7baf2f, 9e8df7900f52, bcc57e971597

The intro(5) to the File Formats manual has been revised, incorporating improvements from OpenBSD. 8d65152cbfc8, 26ec37653662, 37508388d066, a6175f28da70

The filesystem hierarchy index manual, hier(7), has been revised, incorporating a great deal of crossreferences, and increased detail on /usr/local.

The FreeBSD installer, bsdinstall(8), now supports downloading and installing firmware packages after the FreeBSD base system installation is complete. 03c07bdc8b31 (Sponsored by The FreeBSD Foundation)

The bootonly ISO and mini-memstick image now include the net/wifi-firmware-iwlwifi-kmod and net/wifi-firmware-rtw88-kmod packages, making installations possible over a wireless connection (on systems supported by these firmware packages). 655fcdde1aff (Sponsored by The FreeBSD Foundation)

The net/wifi-firmware-kmod@release package has been added to the DVD ISO, providing firmware for a broader set of Wi-Fi drivers. 8c6df7ead19c (Sponsored by The FreeBSD Foundation)